Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <[email protected]>
and subject line Close 1100611
has caused the Debian Bug report #1100611,
regarding bookworm-pu: package libcap2/2.66-4+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1100611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100611
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libcap2
[ Reason ]
This cherry-picks a fix + test for CVE-2025-1390, where capability
configurations not starting with "@" were incorrectly recognized as
group names.
In discussion with the Security Team, we agreed that including this fix
in the next point release for bookworm would be sufficient.
[ Impact ]
The package would remain vulnerable if this change is not accepted.
[ Tests ]
This change includes a test for the fix.
I've built and successfully run the tests against bookworm.
[ Risks ]
The fix is trivial (a continue statement was obviously missing in a
branch of the parsing code).
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
This only adds two patches on top of the previous release: one for the
fix, and one for the test.
[ Other info ]
None.
Best,
Christian
diff -Nru libcap2-2.66/debian/changelog libcap2-2.66/debian/changelog
--- libcap2-2.66/debian/changelog 2023-05-15 20:34:57.000000000 +0200
+++ libcap2-2.66/debian/changelog 2025-03-15 13:43:35.000000000 +0100
@@ -1,3 +1,11 @@
+libcap2 (1:2.66-4+deb12u1) bookworm; urgency=medium
+
+ * Cherry-pick patch fixing CVE-2025-1390.
+ In /etc/security/capability.conf, configurations not starting with "@"
+ were incorrectly recognized as group names. (Closes: #1098318)
+
+ -- Christian Kastner <[email protected]> Sat, 15 Mar 2025 13:43:35 +0100
+
libcap2 (1:2.66-4) unstable; urgency=medium
* Apply upstream patches for CVE-2023-2602, CVE-2023-2603
diff -Nru libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch
--- libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/Add-a-test-for-bad-group-prefix.patch 2025-03-15 13:43:35.000000000 +0100
@@ -0,0 +1,26 @@
+From: "Andrew G. Morgan" <[email protected]>
+Date: Sun, 16 Feb 2025 20:17:08 -0800
+Subject: Add a test for bad group prefix.
+
+The previous commit fixed a bug with the config parsing in pam_cap.
+This is a test that we don't regress against that fix.
+
+Signed-off-by: Andrew G. Morgan <[email protected]>
+---
+ pam_cap/sudotest.conf | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/pam_cap/sudotest.conf b/pam_cap/sudotest.conf
+index ff528ce..b73244d 100644
+--- a/pam_cap/sudotest.conf
++++ b/pam_cap/sudotest.conf
+@@ -10,6 +10,9 @@ cap_setuid,cap_chown @three
+ # neither of these should fire
+ cap_chown beta gamma
+
++# just alpha, but the wrong prefix - so should be ignored
++!cap_chown,cap_setgid +one
++
+ # just alpha
+ !cap_chown,cap_setuid @one
+
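Review bot: the patch header carries From/Date/Subject in git format-patch style but no DEP-3 `Origin:` (or `Bug-Debian:`) line, so a reader of the Debian package cannot tell from the file alone that this is an upstream cherry-pick; add `Origin: upstream, <upstream commit URL>` and `Bug-Debian: https://bugs.debian.org/1098318` above the `---` separator, as the changelog already ties the pair of patches to that bug. On the test itself, the choice of `cap_setgid` on the `+one` line, distinct from the `cap_setuid` on the `@one` line just below it, is what makes a regression observable: if the bad prefix were ever matched again, the wrong capability set would show up in the result rather than being masked by an identical one, so that distinction is worth keeping if the file is ever edited.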
diff -Nru libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch
--- libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcap2-2.66/debian/patches/pam_cap-Fix-potential-configuration-parsing-error.patch 2025-03-15 13:43:35.000000000 +0100
@@ -0,0 +1,28 @@
+From: Tianjia Zhang <[email protected]>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues. Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <[email protected]>
+Signed-off-by: Andrew G. Morgan <[email protected]>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+
+ if (line[0] != '@') {
+ D(("user [%s] is not [%s] - skipping", user, line));
++ continue;
+ }
+
+ int i;
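Review bot: the single added `continue` is correctly placed and is the whole fix: without it, control leaves the `if (line[0] != '@')` block after the debug message and runs straight into the code that follows `int i;` with `line` still holding the unprefixed token, which is the "treats the name as a group name for further parsing" behaviour the commit message describes. Two minor follow-ups for the same hunk: the D() message "user [%s] is not [%s] - skipping" now describes the skip accurately but phrases it as a user comparison rather than a missing prefix, so `"[%s] has no @ prefix - skipping"` would be clearer in debug output; and since the accompanying test lands in a separate commit, it would help future readers if this commit message named the token shape that triggered the mismatch (a bare or wrongly prefixed name such as `+one`) instead of only "names that do not start with @".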
diff -Nru libcap2-2.66/debian/patches/series libcap2-2.66/debian/patches/series
--- libcap2-2.66/debian/patches/series 2023-05-15 20:34:57.000000000 +0200
+++ libcap2-2.66/debian/patches/series 2025-03-15 13:43:35.000000000 +0100
@@ -2,3 +2,5 @@
Filter-out-PIE-flags-when-building-shared-objects.patch
Correct-the-check-of-pthread_create-s-return-value.patch
Large-strings-can-confuse-libcap-s-internal-strdup-code.patch
+pam_cap-Fix-potential-configuration-parsing-error.patch
+Add-a-test-for-bad-group-prefix.patch
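Review bot: the order in series is right, and it is worth the one-line check because the two patch Date headers look reversed at first glance: the fix is dated Mon, 17 Feb 2025 10:31:55 +0800 and the test Sun, 16 Feb 2025 20:17:08 -0800, which in UTC are 02:31 and 04:17 on 17 Feb respectively, so the test does postdate the fix, matching its own description "The previous commit fixed a bug". Keep the fix first; applying the test first would make the series fail the very test it adds.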
--- End Message ---
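To see the parsing fault in isolation, here is an added example written for this page; it is not libcap's code and is not taken from the patches above. It is a stand-in for the per-line matching in pam_cap's read_capabilities_for_user(), working on an in-memory string rather than /etc/security/capability.conf, with a mode switch that toggles the `continue` from the fix. The assumptions it makes beyond what the hunks show are labelled in the code: the group comparison uses the token with its first character dropped (`name + 1`), which is the reading under which the upstream test's `+one` token would have matched a group named `one`; group membership is a hard-coded table in which only `alpha` belongs to `one`; the first applicable line wins; and the sample config is constructed to mirror the layout of pam_cap/sudotest.conf.

```c
/*
 * Added example, not libcap's code: a stand-in for the per-line matching in
 * pam_cap's read_capabilities_for_user(). Assumed, not shown in the hunks:
 * a line is "<caps> <name> [<name>...]" with a name being a user, "*" or
 * "@group" and "#" starting a comment; the group comparison uses the token
 * minus its first character (name + 1); group membership is the hard-coded
 * user_in_group() table; the first line that applies to the user wins.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VULNERABLE 0   /* behave like the parser before the fix */
#define FIXED      1   /* apply the `continue` from the CVE-2025-1390 fix */

/* Constructed sample config, modelled on the layout of pam_cap/sudotest.conf. */
static const char *SAMPLE_CONF =
    "# neither of these should fire for alpha\n"
    "cap_chown beta gamma\n"
    "# just alpha, but the wrong prefix - so should be ignored\n"
    "!cap_chown,cap_setgid +one\n"
    "# just alpha\n"
    "!cap_chown,cap_setuid @one\n";

/* Hypothetical group table: only alpha is a member of group "one". */
static int user_in_group(const char *user, const char *group)
{
    return strcmp(user, "alpha") == 0 && strcmp(group, "one") == 0;
}

static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p != NULL) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* ISO C stand-in for strtok_r over " \t"; NULL once the line is used up. */
static char *next_token(char **cursor)
{
    char *start = *cursor + strspn(*cursor, " \t");
    if (*start == '\0') { *cursor = start; return NULL; }
    char *end = start + strcspn(start, " \t");
    if (*end != '\0')
        *end++ = '\0';
    *cursor = end;
    return start;
}

/*
 * Returns a malloc'd copy of the caps string of the first line that applies
 * to `user`, or NULL if none does. In VULNERABLE mode a name without an '@'
 * prefix is still compared as a group name, which is the CVE-2025-1390 bug.
 */
char *read_caps_for_user(const char *conf, const char *user, int mode)
{
    char *buf = dup_range(conf, strlen(conf));
    char *result = NULL;
    char *cur = buf;

    while (cur != NULL && *cur != '\0') {
        char *line = cur;
        cur += strcspn(cur, "\n");
        if (*cur == '\n')
            *cur++ = '\0';                  /* terminate this line in place */

        char *tok = line;
        const char *caps = next_token(&tok);
        if (caps == NULL || caps[0] == '#')
            continue;                       /* blank or comment line */

        for (char *name = next_token(&tok); name != NULL; name = next_token(&tok)) {
            if (strcmp(name, "*") == 0 || strcmp(name, user) == 0) {
                result = dup_range(caps, strlen(caps));   /* direct user match */
                goto done;
            }
            if (name[0] != '@') {
                /* Before the fix there was no `continue` here, so "+one"
                 * falls through and "one" is compared against the groups. */
                if (mode == FIXED)
                    continue;
            }
            if (user_in_group(user, name + 1)) {          /* assumed: name + 1 */
                result = dup_range(caps, strlen(caps));   /* group match */
                goto done;
            }
        }
    }
done:
    free(buf);
    return result;
}

/* 1 if the caps resolved for `user` equal `expected` (NULL means "no match"). */
int caps_match(const char *conf, const char *user, int mode, const char *expected)
{
    char *got = read_caps_for_user(conf, user, mode);
    int same = (got == NULL && expected == NULL) ||
               (got != NULL && expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return same;
}

int main(void)
{
    const char *users[] = { "alpha", "beta", "delta" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        char *v = read_caps_for_user(SAMPLE_CONF, users[i], VULNERABLE);
        char *f = read_caps_for_user(SAMPLE_CONF, users[i], FIXED);
        printf("%-6s before fix: %-24s after fix: %s\n", users[i],
               v ? v : "(none)", f ? f : "(none)");
        free(v);
        free(f);
    }
    return 0;
}
```

Running it prints, for each user, what the unpatched and patched logic resolve to. For `alpha` the unpatched mode returns `!cap_chown,cap_setgid` from the `+one` line that was meant to be ignored, while the patched mode skips that line and returns `!cap_chown,cap_setuid` from the `@one` rule; `beta` matches its own name in both modes and `delta` matches nothing. Because the first applicable line wins in this stand-in, a mistyped prefix does not merely add noise but silently replaces the capability set the administrator intended for the group.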
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---